[apparmor] [profile] /etc/cron.daily/logrotate: a couple of DENIED messages.

daniel curtis sidetripping at gmail.com
Sun Nov 20 12:23:07 UTC 2016


Hi Seth and Christian

Today I've decided to test the logrotate profile (before sending a patch) once
again. After creating the profile and putting it in enforce mode (via the
'aa-enforce' command), I noticed that the permissions for two files from the
/var/log/ directory were changed. (The same situation as before.) I used the
chown(1) and chmod(1) commands to restore the correct permissions and owner etc.

After these steps, both files have 0 bytes - but there are kern.log.1 and
syslog.1 files. So, I checked the kern.log.1 file, which includes:

Nov 20 12:46:39 t4 kernel: [ 1603.444161] type=1400
audit(1479642399.656:85): apparmor="DENIED" operation="exec" parent=3192
profile="/etc/cron.daily/logrotate" name="/usr/bin/head" pid=3193
comm="logrotate" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

Nov 20 12:46:39 t4 kernel: [ 1603.581913] type=1400
audit(1479642399.792:86): apparmor="DENIED" operation="rename_dest"
parent=3192 profile="/etc/cron.daily/logrotate"
name="/var/lib/logrotate/status" pid=3196 comm="mv" requested_mask="wc"
denied_mask="wc" fsuid=0 ouid=0

Nov 20 12:46:39 t4 kernel: [ 1603.636432] type=1400
audit(1479642399.848:87): apparmor="DENIED" operation="open" parent=3192
profile="/etc/cron.daily/logrotate" name="/var/lib/logrotate/" pid=3197
comm="logrotate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Nov 20 12:46:39 t4 kernel: [ 1603.726824] type=1400
audit(1479642399.936:88): apparmor="DENIED" operation="exec" parent=3198
profile="/etc/cron.daily/logrotate" name="/usr/sbin/invoke-rc.d" pid=3199
comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0

Nov 20 12:46:39 t4 kernel: [ 1603.727289] type=1400
audit(1479642399.936:89): apparmor="DENIED" operation="exec" parent=3198
profile="/etc/cron.daily/logrotate" name="/bin/sleep" pid=3200 comm="sh"
requested_mask="x" denied_mask="x" fsuid=0 ouid=0

Nov 20 12:46:39 t4 kernel: [ 1603.727849] type=1400
audit(1479642399.936:90): apparmor="DENIED" operation="capable" parent=3192
profile="/etc/cron.daily/logrotate" pid=3197 comm="logrotate" capability=0
capname="chown"

Nov 20 12:46:39 t4 kernel: [ 1603.728320] type=1400
audit(1479642399.940:91): apparmor="DENIED" operation="open" parent=3192
profile="/etc/cron.daily/logrotate" name="/var/lib/logrotate/status"
pid=3197 comm="logrotate" requested_mask="wc" denied_mask="wc" fsuid=0
ouid=0

What do you think about the whole thing? Why were the permissions changed? It
seems that the logrotate profile is responsible for this, but why? Should I
add rules related to the above log entries? If yes, how to do it - I mean
in a secure way.

It seems that the logrotate profile will be much longer etc. Let's look at the
first log: /etc/cron.daily/logrotate, requested_/denied_mask are "x". I
have a rule for this in my profile, which is:

/etc/cron.daily/logrotate r,

So, should I use something like this one?

/etc/cron.daily/logrotate mrix,

I don't know what to do for now: remove the logrotate profile or leave it for a
couple of days to see the result. Both files, kern.log and syslog, are still
0 bytes and nothing is logged.

Best regards.
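As an added example (not the poster's code and not part of the AppArmor project), the following Python script parses DENIED lines like those quoted above and merges them per profile into candidate rule lines, roughly what aa-logprof does interactively. The sample log is the post's own entries re-joined onto single lines, and the `ix` exec qualifier is an assumption: whether a helper should run under this profile (`ix`) or transition to its own (`Px`) is a policy decision to make per binary, not something the log can tell you.

```python
import re
from collections import defaultdict

# Constructed sample: the DENIED entries from the post, re-joined onto single
# lines as they appear in kern.log (the mail client wrapped them).
SAMPLE_LOG = """\
Nov 20 12:46:39 t4 kernel: [ 1603.444161] type=1400 audit(1479642399.656:85): apparmor="DENIED" operation="exec" parent=3192 profile="/etc/cron.daily/logrotate" name="/usr/bin/head" pid=3193 comm="logrotate" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Nov 20 12:46:39 t4 kernel: [ 1603.581913] type=1400 audit(1479642399.792:86): apparmor="DENIED" operation="rename_dest" parent=3192 profile="/etc/cron.daily/logrotate" name="/var/lib/logrotate/status" pid=3196 comm="mv" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Nov 20 12:46:39 t4 kernel: [ 1603.636432] type=1400 audit(1479642399.848:87): apparmor="DENIED" operation="open" parent=3192 profile="/etc/cron.daily/logrotate" name="/var/lib/logrotate/" pid=3197 comm="logrotate" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Nov 20 12:46:39 t4 kernel: [ 1603.727849] type=1400 audit(1479642399.936:90): apparmor="DENIED" operation="capable" parent=3192 profile="/etc/cron.daily/logrotate" pid=3197 comm="logrotate" capability=0 capname="chown"
Nov 20 12:46:39 t4 kernel: [ 1603.728320] type=1400 audit(1479642399.940:91): apparmor="DENIED" operation="open" parent=3192 profile="/etc/cron.daily/logrotate" name="/var/lib/logrotate/status" pid=3197 comm="logrotate" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Audit mask letters -> profile mode letters. 'c' (create) is granted by 'w';
# 'x' is handled separately because it needs an exec qualifier.
MASK_TO_MODE = {"r": "r", "w": "w", "c": "w", "a": "a", "m": "m", "k": "k", "l": "l"}

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}

def suggest_rules(text, exec_mode="ix"):
    """Merge denials per profile into candidate rules. exec_mode is an
    assumption: ix keeps the helper under this profile, Px would transition."""
    files = defaultdict(set)   # (profile, path) -> set of mode letters
    caps = defaultdict(set)    # profile -> capability names
    for line in text.splitlines():
        ev = parse_denial(line)
        if not ev:
            continue
        if ev["operation"] == "capable":
            caps[ev["profile"]].add(ev["capname"])
            continue
        if "name" not in ev:          # e.g. signal/ptrace events: no file path
            continue
        mask = ev.get("denied_mask", "")
        modes = {MASK_TO_MODE[c] for c in mask if c in MASK_TO_MODE}
        if "x" in mask:
            modes.add(exec_mode)
        if "w" in modes:
            modes.discard("a")        # w already covers append
        files[(ev["profile"], ev["name"])] |= modes
    rules = defaultdict(list)
    for (prof, path), modes in sorted(files.items()):
        order = [m for m in ("m", "r", "w", "a", "k", "l", exec_mode) if m in modes]
        rules[prof].append(f"{path} {''.join(order)},")
    for prof in caps:
        rules[prof].extend(f"capability {c}," for c in sorted(caps[prof]))
    return dict(rules)
```

Run it over a real kern.log and review each candidate before pasting it into the profile; a `capability chown,` line in particular is worth justifying, since it is what logrotate needs to set the owner on freshly created logs.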